Please Help With The Vundo Virus Thing Please


17 replies to this topic

#1 cain2152 (Members, 16 posts)

Posted 15 August 2008 - 11:42 AM

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:02 PM, on 8/15/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_14_PLUS_Download_version\TrayServer.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /QS
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [564f4b05] rundll32.exe "C:\Users\William\AppData\Local\Temp\orwtgxsm.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\William\AppData\Local\Temp\fccbBRji.dll,c
O4 - HKCU\..\Run: [BM557c7899] Rundll32.exe "C:\Users\William\AppData\Local\Temp\ttpignlb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/...NPUplden-us.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\Program Files\Stardock\MyColors\VistaSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11829 bytes
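The entries a helper looks at first in the log above are the three HKCU Run values that launch rundll32 against random-named DLLs in the user's Temp folder. The script below is an added triage example, not part of this thread or of HijackThis: it parses O4 Run-key lines (a handful copied from the log above as constructed sample input) and flags entries by the heuristics in the comments. The hex-name pattern, the Temp-path check and the single-character-export check are assumed heuristics, not rules from the thread.

```python
import re

# Constructed sample input: O4 lines copied from the HijackThis log posted
# in this thread (three Temp-DLL rundll32 entries plus legitimate ones).
SAMPLE_O4_LINES = r"""O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [564f4b05] rundll32.exe "C:\Users\William\AppData\Local\Temp\orwtgxsm.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\William\AppData\Local\Temp\fccbBRji.dll,c
O4 - HKCU\..\Run: [BM557c7899] Rundll32.exe "C:\Users\William\AppData\Local\Temp\ttpignlb.dll",s
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"; Startup-folder O4 lines
# have a different shape and are deliberately not matched.
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
# First token of a command line: either a double-quoted path or a bare word.
EXE_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$')
# Value names that look machine-generated: 8 hex digits, optional 2-letter
# prefix (assumed heuristic, tuned to the names seen in this log).
HEXNAME_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-fA-F]{8}")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_o4(line):
    """Return {'hive', 'name', 'cmd'} for a Run-key O4 line, else None."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
    return {"hive": m.group("hive"), "name": m.group("name"), "cmd": cmd}


def split_exe(cmd):
    """Split a command line into (executable, remaining arguments).

    HijackThis prints unquoted paths verbatim, so an unquoted path with spaces
    is cut at the first space; that only matters for the rundll32 check below.
    """
    m = EXE_RE.match(cmd)
    exe = m.group(1) or m.group(2) or ""
    return exe, m.group(3)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(entry):
    """Return the list of reasons an O4 Run entry deserves a closer look."""
    reasons = []
    exe, rest = split_exe(entry["cmd"])
    if basename(exe) in ("rundll32.exe", "rundll32"):
        # rundll32 syntax: <dll>,<export> [args]; the DLL path may be quoted.
        dll, _, export = rest.partition(",")
        dll = dll.strip().strip('"')
        export = export.strip().split(" ", 1)[0]
        if TEMP_DIR_RE.search(dll):
            reasons.append("rundll32 loads a DLL from a Temp directory")
        if len(export) == 1:
            reasons.append("single-character export name")
    if HEXNAME_RE.fullmatch(entry["name"]):
        reasons.append("autogenerated-looking value name")
    return reasons


def triage(log_text):
    """Return [(value name, [reasons])] for every flagged Run entry."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append((entry["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4_LINES):
        print(f"[{name}]: " + "; ".join(reasons))
```

Run against the sample, only the three Temp-DLL entries are flagged; the legitimate rundll32 entries (NvCpl, oobefldr) pass because they load from a system path with a named export.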


#2 cain2152 (Topic Starter; Members, 16 posts)

Posted 15 August 2008 - 04:20 PM

Bump

#3 cain2152 (Topic Starter; Members, 16 posts)

Posted 15 August 2008 - 05:37 PM

bump

#4 cain2152 (Topic Starter; Members, 16 posts)

Posted 15 August 2008 - 10:28 PM

bump

#5 cain2152 (Topic Starter; Members, 16 posts)

Posted 16 August 2008 - 06:27 AM

bump

#6 cain2152 (Topic Starter; Members, 16 posts)

Posted 16 August 2008 - 10:30 AM

bump

#7 Starbuck ('r Brudiwr; Malware Response Team, 4,149 posts; Male, Midlands, UK)

Posted 16 August 2008 - 10:35 AM

Hi cain2152

If you have a previous version of ComboFix on your system... please remove it first.

Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter... (this is very important)

Please ensure that you install the Recovery Console, if it's not already installed on your machine.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log in your next reply along with a new HJT log.

Thanks.


#8 cain2152 (Topic Starter; Members, 16 posts)

Posted 16 August 2008 - 12:22 PM

ComboFix 08-08-15.04 - William 2008-08-16 13:04:21.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1993 [GMT -4:00]
Running from: C:\Users\William\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\William\AppData\Local\Temp\xetmxcni.dll
C:\Users\William\AppData\Roaming\inst.exe
C:\Users\William\AppData\Roaming\Microsoft\dtsc
C:\Users\William\AppData\Roaming\Microsoft\dtsc\RegCure.1.x.x.x-Patch_CiM.torrent
C:\Users\William\AppData\Roaming\Microsoft\dtsc\RegCure.1.x.x.x-Patch_CiM.zip
C:\Users\William\AppData\Roaming\Microsoft\dtsc\s
C:\Users\William\AppData\Roaming\rhcjr6j0ev5b
C:\Windows\icon.ico
C:\Windows\system32\kHAQheeD.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-08-15 12:39 . 2008-08-15 12:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 03:07 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 16:30 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 16:30 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 16:29 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 16:29 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 16:29 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-08 17:58 . 2008-08-08 18:14 <DIR> d-------- C:\Users\William\AppData\Roaming\Winamp
2008-08-08 14:58 . 2008-08-08 17:58 <DIR> d-------- C:\Program Files\Winamp
2008-08-04 16:18 . 2008-08-04 16:18 15,897,088 --a------ C:\Windows\System32\imageres.dll
2008-08-04 16:16 . 2008-08-04 16:16 5,760,054 --a------ C:\Windows\Invader1600.bmp
2008-08-04 16:16 . 2008-08-04 16:16 3,932,214 --a------ C:\Windows\Invader1280.bmp
2008-08-04 16:16 . 2008-08-04 16:16 2,359,350 --a------ C:\Windows\Invader1024.bmp
2008-08-04 16:12 . 2008-08-04 16:12 <DIR> d--h----- C:\Users\All Users\{F0297D39-7A45-442F-AFF5-271488E85934}
2008-08-04 16:12 . 2008-08-04 16:12 <DIR> d--h----- C:\ProgramData\{F0297D39-7A45-442F-AFF5-271488E85934}
2008-08-04 16:12 . 2008-08-04 16:12 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-08-04 16:12 . 2008-08-04 16:12 7,027,254 --a------ C:\Windows\Invader1920.bmp
2008-08-04 15:30 . 2008-08-04 16:16 <DIR> d-------- C:\Users\All Users\Stardock
2008-08-04 15:30 . 2008-08-04 16:16 <DIR> d-------- C:\ProgramData\Stardock
2008-08-04 15:30 . 2008-08-04 16:12 <DIR> d-------- C:\Program Files\Stardock
2008-08-04 12:31 . 2008-08-04 12:44 <DIR> d-------- C:\Program Files\Symantec
2008-08-04 12:31 . 2008-08-04 12:47 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-08-04 12:31 . 2008-08-04 12:44 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-08-04 12:31 . 2008-08-04 12:44 10,671 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-08-04 12:31 . 2008-08-04 12:44 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-08-04 10:34 . 2008-08-04 10:34 <DIR> d-------- C:\Program Files\CCleaner
2008-08-03 22:10 . 2008-08-03 22:10 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-02 10:40 . 2008-08-03 23:37 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-08-02 10:40 . 2008-08-03 23:37 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-08-02 10:40 . 2008-08-02 10:40 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-02 10:38 . 2008-08-02 10:38 <DIR> d-------- C:\kav
2008-07-25 10:42 . 2004-08-04 07:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-07-24 12:09 . 2008-07-24 12:09 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-24 11:26 . 2008-07-24 11:27 <DIR> d-------- C:\Program Files\Common Files\MAGIX Shared
2008-07-24 11:16 . 2008-07-24 11:16 <DIR> d-------- C:\Users\William\AppData\Roaming\MAGIX
2008-07-24 11:14 . 2008-07-24 11:26 <DIR> d-------- C:\Windows\System32\MAGIX
2008-07-24 11:14 . 2008-07-24 11:16 <DIR> d-------- C:\Users\All Users\MAGIX
2008-07-24 11:14 . 2008-07-24 11:16 <DIR> d-------- C:\ProgramData\MAGIX
2008-07-24 11:14 . 2008-07-24 11:16 <DIR> d-------- C:\Program Files\MAGIX
2008-07-24 11:14 . 2007-12-04 14:20 700,416 --a------ C:\Windows\System32\mgxoschk.dll
2008-07-24 11:14 . 2007-04-27 09:43 120,200 --a------ C:\Windows\System32\DLLDEV32i.dll
2008-07-24 11:14 . 2008-07-24 11:27 6,642 --a------ C:\Windows\mgxoschk.ini
2008-07-23 20:34 . 2008-07-23 20:34 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 20:34 . 2008-07-23 20:34 <DIR> d-------- C:\Program Files\iPod
2008-07-23 20:32 . 2008-07-23 20:32 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 20:28 . 2008-07-23 20:28 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 23:58 --------- d-----w C:\Users\William\AppData\Roaming\uTorrent
2008-08-15 13:55 --------- d-----w C:\Users\William\AppData\Roaming\Apple Computer
2008-08-14 07:14 --------- d-----w C:\Program Files\Windows Mail
2008-08-14 07:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-08 20:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-05 15:31 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-05 15:30 --------- d-----w C:\Program Files\Azureus
2008-08-04 22:22 --------- d-----w C:\ProgramData\Symantec
2008-08-04 16:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-02 15:06 112,144 ----a-w C:\Windows\system32\drivers\kl1.sys
2008-07-30 21:42 23,888 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-07-29 17:51 --------- d-----w C:\Program Files\Real Alternative
2008-07-17 23:46 194 ----a-w C:\Users\William\AppData\Roaming\wklnhst.dat
2008-07-13 01:28 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-10 23:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-10 23:32 --------- d-----w C:\ProgramData\NVIDIA
2008-07-10 13:35 32,000 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-07-10 03:13 --------- d-----w C:\Program Files\Dream Aquarium
2008-06-25 01:32 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-25 01:30 --------- d-----w C:\Users\William\AppData\Roaming\SUPERAntiSpyware.com
2008-06-25 01:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 20:33 --------- d-----w C:\Program Files\PokerStars.NET
2008-06-24 20:00 --------- d-----w C:\Program Files\PokerStars
2008-06-20 17:31 118,960 ----a-w C:\Windows\ThemeMgrInstall.exe
2008-06-16 20:52 --------- d-----w C:\Users\William\AppData\Roaming\Template
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-22 14:15 174 --sha-w C:\Program Files\desktop.ini
2008-03-12 20:19 47,360 ----a-w C:\Users\William\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 14:09 460784]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-24 21:35 1506544]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 13:37 81920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 13:35 221184]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"lxbkbmgr.exe"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 13:02 74672]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-03 00:16 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-03 00:16 92704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"TrayServer"="C:\Program Files\MAGIX\Movie_Edit_Pro_14_PLUS_Download_version\TrayServer.exe" [2008-02-07 12:00 90112]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RMTray.exe" [2007-08-20 10:58 701736]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-03 19:02 36352]

C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-27 14:33:56 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\Windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-16 10:27 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-14 19:50 233472 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{56F8CB7F-D24C-4A3C-95A5-DC26B8DB888D}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{64D812D0-6C90-490A-85F2-D12B01E832D3}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{3F033708-1589-4B87-A0AA-222F53759CC4}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{AA2F352A-797D-47FE-B411-EBB42E069B2A}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"TCP Query User{E0058950-1F61-43E2-A31B-0C431F8B7153}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{A5FBF95F-F6C9-48C7-B343-2494D0DB6F94}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{494C20B4-E44A-482D-8135-2246C8B08513}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{61DBE3C3-58DB-48F4-900F-693A0FA12478}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0CE226CB-55EC-4E4A-AB71-BC5D685DFC63}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8B58C0FE-0E2D-4E0E-BA85-E32FBBF59D88}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F3CFE1CD-A788-4929-ACEC-324196CD2EF9}"= Disabled:UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{ABE7E23F-168D-4FF7-B8B4-61D5D03DE6F5}"= Disabled:TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{32D4DC40-7E77-428D-B83E-348314534EAF}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{10A52335-C04B-4744-B96E-B2DFDFB5F92F}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{88EE5E2F-BA7C-4441-8752-23AA726404B4}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C19C8BB7-4A9D-449E-9779-689F48F5318C}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{81F12BB9-744D-4FC1-90E9-1C607E6D0448}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8B5BEEE0-E244-40D6-A622-4C7B33C096AC}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F77392A2-DB63-4BC9-A86D-13A1AC381091}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{7B7EA464-980E-450E-A60D-CD21D5E7B479}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{F6ACE513-F8E4-4CBF-8D15-0BE69CDFEB74}C:\\kav\\kav7\\setup.exe"= UDP:C:\kav\kav7\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{8EB4254A-CB64-4C3A-9ACD-C9EE636758E6}C:\\kav\\kav7\\setup.exe"= TCP:C:\kav\kav7\setup.exe:Kaspersky Anti-Virus 7.0 Setup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 21:05]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080813.001\IDSvix86.sys [2008-07-16 18:53]
R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSrv.exe [2007-12-05 06:17]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R2 lxbk_device;lxbk_device;C:\Windows\system32\lxbkcoms.exe [2007-04-26 13:01]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 14:18]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 01:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\CDStart.Exe
\shell\Install\Command - J:\Stub.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edd5e88-b4a7-11dc-9ebc-806e6f6e6963}]
\shell\AutoRun\command - E:\autorun.exe
\shell\directx\command - E:\DirectX\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\Windows\Tasks\EasyShare Registration Task.job
- C:\Windows\system32\rundll32.exe [2006-11-02 05:45]

2008-08-16 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - William.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
ShellExecuteHooks-{A7A4DFC1-32C7-4A3C-BFAC-21B526A00347} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\pwf1feo6.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 13:12:58
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\William\AppData\Local\Microsoft\Portable Devices\wpdlog01.sqm 472 bytes
C:\Users\William\AppData\Local\Microsoft\Portable Devices\wpdlog02.sqm 472 bytes
C:\Users\William\AppData\Local\Microsoft\Portable Devices\wpdlog03.sqm 472 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Stardock\MyColors\VistaSrv.exe
C:\Program Files\Stardock\MyColors\WBVista.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-08-16 13:18:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-16 17:18:19

Pre-Run: 233,624,633,344 bytes free
Post-Run: 233,650,008,064 bytes free

262 --- E O F --- 2008-08-14 07:09:11



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:58 PM, on 8/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_14_PLUS_Download_version\TrayServer.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /QS
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/...NPUplden-us.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\Program Files\Stardock\MyColors\VistaSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10673 bytes

#9 Starbuck (Malware Response Team)

Posted 16 August 2008 - 02:04 PM

Hi cain2152

That's looking a lot better.
Not much to do this time.

Step 1
Run HijackThis again, click Scan, and put a checkmark next to each of these items.
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Optional
These lines are not bad, but they are not necessary to run at startup.
If you need them you can start them manually.
Ticking the following lines may save you valuable resources.

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')


Then close all other windows, browsers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Reboot your computer to complete the process.

Step 2
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Step 3
Let's just double check things:

Please do an online scan with Kaspersky WebScanner.
Notes
Java must be installed and enabled for the scan to work.
Disable your computer's antivirus program, as leaving it active will cause conflicts.
  • Close ALL programs and windows except for your browser
    Please go to Online Kaspersky Scan and perform an online antivirus scan.
  • Read through the Requirements and limitations statement and click on the Accept button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, the scrolling window will show 'Database is updated. Ready to scan'. Click on the Settings button at the bottom left.
  • Make sure these boxes are checked/ticked. If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan on the left. OK any warnings from your protection programs.
  • Go for a long walk. Please be patient and let the scanner finish. It is better that you do NOT use the computer while the scan is running. Keep all other programs/windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan-ddmmyy before clicking on the Save button. Save the report to a convenient place - for example the Desktop.
  • Please post this log in your next reply.
Note - enable your antivirus program before browsing away from the Kaspersky site.

Go to the Desktop and double-click on the Kaspersky report KAVScan-ddmmyy.txt, it will open in Notepad
Click Edit > Select all then Edit > Copy
Reply to this thread and paste (Ctrl+V) the report.

In your next report, please submit:
Kaspersky scan results
and a new Hjt log

Thanks.



#10 cain2152 (Topic Starter)

Posted 16 August 2008 - 04:18 PM

It keeps saying I need to install Java 1.6 or later to run the Kaspersky scan. I installed the Java and verified it.

#11 cain2152 (Topic Starter)

Posted 16 August 2008 - 04:21 PM

Well, I tried it with IE first, then I tried it with Safari. It said I couldn't use Safari, so I did it with Firefox and now it's working.

#12 Starbuck (Malware Response Team)

Posted 17 August 2008 - 02:44 PM

Hi cain2152

Did you manage to get the Kaspersky scan to run?



#13 cain2152 (Topic Starter)

Posted 17 August 2008 - 04:01 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 17, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 16, 2008 22:19:45
Records in database: 1099215
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 155047
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 22:11:07


File name / Threat name / Threats count
C:\Users\William\Documents\Downloads\Kaspersky Internet Security 7.0 Latest Version Crack Clean with Keygen with Serial\kis8.0.0.357en.exe Infected: Trojan.Win32.Agent.xjc 1
C:\Users\William\Documents\Downloads\SUPERAntiSpyware Professional v4 15 1000 Latest + Keygen\SUPERAntiSpywarePro.exe Infected: Trojan.Win32.Monder.gen 1
C:\Windows\System32\Macromed\Shockwave 10\gt.exe Infected: Trojan-Downloader.Win32.Agent.aaza 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:47 PM, on 8/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_14_PLUS_Download_version\TrayServer.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /QS
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/...NPUplden-us.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\Program Files\Stardock\MyColors\VistaSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10163 bytes

#14 Starbuck (Malware Response Team)

Posted 18 August 2008 - 03:35 AM

Hi cain2152

The results that Kaspersky is showing are pointing to downloads from P2P programs.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.
You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
Additional information on the safety of Peer to Peer programs themselves is here : http://p2p.malwareremoval.com/
Regardless of the program used, the practice of file-sharing is very unsafe for the health of your PC.

Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
Folder::
C:\Users\William\Documents\Downloads\Kaspersky Internet Security 7.0
C:\Users\William\Documents\Downloads\SUPERAntiSpyware Professional v4

File::
C:\Windows\System32\Macromed\Shockwave 10\gt.exe
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created (CFScript.txt) and drop it on the main ComboFix.exe icon.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

In your next reply, please submit:
New ComboFix.txt

and could you let me know how things are running now.

Thanks.


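The CFScript in the post above was written by hand from the Kaspersky report: the two infected files sitting inside downloaded "crack"/keygen bundles under the user's Downloads folder became Folder:: entries (the whole bundle goes), and the lone file under System32 became a File:: entry. The following is an added example, not code from this thread, from ComboFix or from Kaspersky: it parses the "<path> Infected: <threat> <count>" lines of a Kaspersky Online Scanner 7 report and generates a CFScript using only the Folder:: and File:: directives seen in the thread. The report lines are copied from the scan posted above; the Downloads root is taken from those paths and is the one assumption the script makes. It emits each bundle folder with the full name the scanner reported.

```python
"""Build a ComboFix CFScript from a Kaspersky Online Scanner 7 report.

Added example, not from the thread. Rule, reproducing the helper's triage:
  * an infected file inside a sub-folder of the user's Downloads directory
    -> the whole bundle folder under Folder::
  * any other infected file -> File::
Only the Folder:: and File:: directives that appear in the thread are used.
SAMPLE_REPORT is copied from the Kaspersky report posted in this thread;
DOWNLOADS is the Downloads root taken from those paths (an assumption).
"""
import re
from pathlib import PureWindowsPath

# "<path> Infected: <threat name> <count>" as the KAV 7 online scanner prints it
KAV_LINE = re.compile(r"^(?P<path>.+?)\s+Infected: (?P<threat>\S+)\s+(?P<count>\d+)\s*$")

DOWNLOADS = r"C:\Users\William\Documents\Downloads"

SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Users\William\Documents\Downloads\Kaspersky Internet Security 7.0 Latest Version Crack Clean with Keygen with Serial\kis8.0.0.357en.exe Infected: Trojan.Win32.Agent.xjc 1
C:\Users\William\Documents\Downloads\SUPERAntiSpyware Professional v4 15 1000 Latest + Keygen\SUPERAntiSpywarePro.exe Infected: Trojan.Win32.Monder.gen 1
C:\Windows\System32\Macromed\Shockwave 10\gt.exe Infected: Trojan-Downloader.Win32.Agent.aaza 1

The selected area was scanned.
"""


def parse_report(text):
    """Yield (PureWindowsPath, threat_name) for each infected object."""
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            yield PureWindowsPath(m["path"]), m["threat"]


def build_cfscript(report_text, downloads_root):
    """Return the CFScript text (Folder:: block first, then File:: block)."""
    downloads = PureWindowsPath(downloads_root)
    folders, files = [], []
    for path, _threat in parse_report(report_text):
        try:
            rel = path.relative_to(downloads)   # ValueError if not under Downloads
        except ValueError:
            rel = None
        if rel is not None and len(rel.parts) > 1:
            # File lives in a downloaded bundle folder: remove the whole bundle.
            bundle = downloads / rel.parts[0]
            if bundle not in folders:
                folders.append(bundle)
        elif path not in files:
            # Loose file (anywhere, including directly in Downloads): just the file.
            files.append(path)
    out = []
    if folders:
        out.append("Folder::")
        out.extend(str(f) for f in folders)
        out.append("")
    if files:
        out.append("File::")
        out.extend(str(f) for f in files)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_REPORT, DOWNLOADS), end="")
```

Save the output as CFScript.txt and it can be dropped onto ComboFix.exe exactly as the post describes. The distinction matters: a Folder:: entry removes everything in the bundle, including the installer that has not yet been run, while a File:: entry removes only the detected file, so a file found loose in the Downloads root is deliberately kept as File::.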

#15 cain2152 (Topic Starter)

Posted 18 August 2008 - 07:24 AM

ComboFix 08-08-15.04 - William 2008-08-18 7:56:42.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1886 [GMT -4:00]
Running from: C:\Users\William\Desktop\ComboFix.exe
Command switches used :: C:\Users\William\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\System32\Macromed\Shockwave 10\gt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\William\AppData\Roaming\Microsoft\Windows\Cookies\william@www.google[3].txt
C:\Windows\System32\Macromed\Shockwave 10\gt.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-16 17:13 . 2008-08-16 17:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-16 17:04 . 2008-08-16 17:04 <DIR> d-------- C:\Windows\Sun
2008-08-15 12:39 . 2008-08-15 12:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 03:07 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 16:30 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 16:30 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 16:29 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 16:29 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 16:29 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-08 17:58 . 2008-08-08 18:14 <DIR> d-------- C:\Users\William\AppData\Roaming\Winamp
2008-08-08 14:58 . 2008-08-08 17:58 <DIR> d-------- C:\Program Files\Winamp
2008-08-04 16:18 . 2008-08-04 16:18 15,897,088 --a------ C:\Windows\System32\imageres.dll
2008-08-04 16:16 . 2008-08-04 16:16 5,760,054 --a------ C:\Windows\Invader1600.bmp
2008-08-04 16:16 . 2008-08-04 16:16 3,932,214 --a------ C:\Windows\Invader1280.bmp
2008-08-04 16:16 . 2008-08-04 16:16 2,359,350 --a------ C:\Windows\Invader1024.bmp
2008-08-04 16:12 . 2008-08-04 16:12 <DIR> d--h----- C:\Users\All Users\{F0297D39-7A45-442F-AFF5-271488E85934}
2008-08-04 16:12 . 2008-08-04 16:12 <DIR> d--h----- C:\ProgramData\{F0297D39-7A45-442F-AFF5-271488E85934}
2008-08-04 16:12 . 2008-08-04 16:12 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-08-04 16:12 . 2008-08-04 16:12 7,027,254 --a------ C:\Windows\Invader1920.bmp
2008-08-04 15:30 . 2008-08-04 16:16 <DIR> d-------- C:\Users\All Users\Stardock
2008-08-04 15:30 . 2008-08-04 16:16 <DIR> d-------- C:\ProgramData\Stardock
2008-08-04 15:30 . 2008-08-04 16:12 <DIR> d-------- C:\Program Files\Stardock
2008-08-04 12:31 . 2008-08-04 12:44 <DIR> d-------- C:\Program Files\Symantec
2008-08-04 12:31 . 2008-08-04 12:47 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-08-04 12:31 . 2008-08-04 12:44 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-08-04 12:31 . 2008-08-04 12:44 10,671 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-08-04 12:31 . 2008-08-04 12:44 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-08-04 10:34 . 2008-08-04 10:34 <DIR> d-------- C:\Program Files\CCleaner
2008-08-03 22:10 . 2008-08-03 22:10 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-02 10:40 . 2008-08-03 23:37 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-08-02 10:40 . 2008-08-03 23:37 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-08-02 10:40 . 2008-08-02 10:40 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-02 10:38 . 2008-08-02 10:38 <DIR> d-------- C:\kav
2008-07-25 10:42 . 2004-08-04 07:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-07-24 12:09 . 2008-07-24 12:09 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-24 11:26 . 2008-07-24 11:27 <DIR> d-------- C:\Program Files\Common Files\MAGIX Shared
2008-07-24 11:16 . 2008-07-24 11:16 <DIR> d-------- C:\Users\William\AppData\Roaming\MAGIX
2008-07-24 11:14 . 2008-07-24 11:26 <DIR> d-------- C:\Windows\System32\MAGIX
2008-07-24 11:14 . 2008-07-24 11:16 <DIR> d-------- C:\Users\All Users\MAGIX
2008-07-24 11:14 . 2008-07-24 11:16 <DIR> d-------- C:\ProgramData\MAGIX
2008-07-24 11:14 . 2008-07-24 11:16 <DIR> d-------- C:\Program Files\MAGIX
2008-07-24 11:14 . 2007-12-04 14:20 700,416 --a------ C:\Windows\System32\mgxoschk.dll
2008-07-24 11:14 . 2007-04-27 09:43 120,200 --a------ C:\Windows\System32\DLLDEV32i.dll
2008-07-24 11:14 . 2008-07-24 11:27 6,642 --a------ C:\Windows\mgxoschk.ini
2008-07-23 20:34 . 2008-07-23 20:34 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 20:34 . 2008-07-23 20:34 <DIR> d-------- C:\Program Files\iPod
2008-07-23 20:32 . 2008-07-23 20:32 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 20:28 . 2008-07-23 20:28 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 21:14 --------- d-----w C:\Program Files\Java
2008-08-15 23:58 --------- d-----w C:\Users\William\AppData\Roaming\uTorrent
2008-08-15 13:55 --------- d-----w C:\Users\William\AppData\Roaming\Apple Computer
2008-08-14 07:14 --------- d-----w C:\Program Files\Windows Mail
2008-08-14 07:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-08 20:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-05 15:31 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-05 15:30 --------- d-----w C:\Program Files\Azureus
2008-08-04 22:22 --------- d-----w C:\ProgramData\Symantec
2008-08-04 16:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-02 15:06 112,144 ----a-w C:\Windows\system32\drivers\kl1.sys
2008-07-30 21:42 23,888 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-07-29 17:51 --------- d-----w C:\Program Files\Real Alternative
2008-07-17 23:46 194 ----a-w C:\Users\William\AppData\Roaming\wklnhst.dat
2008-07-13 01:28 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-10 23:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-10 23:32 --------- d-----w C:\ProgramData\NVIDIA
2008-07-10 13:35 32,000 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-07-10 03:13 --------- d-----w C:\Program Files\Dream Aquarium
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-25 01:32 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-25 01:30 --------- d-----w C:\Users\William\AppData\Roaming\SUPERAntiSpyware.com
2008-06-25 01:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 20:33 --------- d-----w C:\Program Files\PokerStars.NET
2008-06-24 20:00 --------- d-----w C:\Program Files\PokerStars
2008-06-20 17:31 118,960 ----a-w C:\Windows\ThemeMgrInstall.exe
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-05-22 14:15 174 --sha-w C:\Program Files\desktop.ini
2008-05-22 13:56 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-22 13:56 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-12 20:19 47,360 ----a-w C:\Users\William\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-16_13.17.30.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-16 20:58:50 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-16 20:58:50 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-16 17:12:43 40,960 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\rtdrvmon.exe
+ 2008-08-16 20:59:04 40,960 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\rtdrvmon.exe
- 2008-08-16 17:12:53 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-16 21:00:18 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-16 17:12:53 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-16 21:00:23 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-16 17:12:42 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-18 09:35:54 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-16 17:12:42 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-18 09:35:54 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-16 17:12:42 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-18 09:35:54 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-27 18:30:47 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\Windows\System32\java.exe
- 2007-12-27 18:30:47 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2007-12-27 18:30:47 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\Windows\System32\javaws.exe
- 2008-08-16 17:02:19 11,588 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1328678776-1752513476-1934583826-1000_UserData.bin
+ 2008-08-16 21:00:44 12,048 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1328678776-1752513476-1934583826-1000_UserData.bin
- 2008-08-16 17:02:18 73,472 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-16 21:00:44 73,606 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-16 17:02:17 57,734 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-16 21:00:43 58,034 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 14:09 460784]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-24 21:35 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 13:37 81920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 13:35 221184]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"lxbkbmgr.exe"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 13:02 74672]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-03 00:16 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-03 00:16 92704]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"TrayServer"="C:\Program Files\MAGIX\Movie_Edit_Pro_14_PLUS_Download_version\TrayServer.exe" [2008-02-07 12:00 90112]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RMTray.exe" [2007-08-20 10:58 701736]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-03 19:02 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-27 14:33:56 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\Windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-16 10:27 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-14 19:50 233472 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{56F8CB7F-D24C-4A3C-95A5-DC26B8DB888D}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{64D812D0-6C90-490A-85F2-D12B01E832D3}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{3F033708-1589-4B87-A0AA-222F53759CC4}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{AA2F352A-797D-47FE-B411-EBB42E069B2A}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"TCP Query User{E0058950-1F61-43E2-A31B-0C431F8B7153}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{A5FBF95F-F6C9-48C7-B343-2494D0DB6F94}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{494C20B4-E44A-482D-8135-2246C8B08513}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{61DBE3C3-58DB-48F4-900F-693A0FA12478}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0CE226CB-55EC-4E4A-AB71-BC5D685DFC63}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8B58C0FE-0E2D-4E0E-BA85-E32FBBF59D88}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F3CFE1CD-A788-4929-ACEC-324196CD2EF9}"= Disabled:UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{ABE7E23F-168D-4FF7-B8B4-61D5D03DE6F5}"= Disabled:TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{32D4DC40-7E77-428D-B83E-348314534EAF}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{10A52335-C04B-4744-B96E-B2DFDFB5F92F}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{88EE5E2F-BA7C-4441-8752-23AA726404B4}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C19C8BB7-4A9D-449E-9779-689F48F5318C}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{81F12BB9-744D-4FC1-90E9-1C607E6D0448}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8B5BEEE0-E244-40D6-A622-4C7B33C096AC}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F77392A2-DB63-4BC9-A86D-13A1AC381091}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{7B7EA464-980E-450E-A60D-CD21D5E7B479}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{F6ACE513-F8E4-4CBF-8D15-0BE69CDFEB74}C:\\kav\\kav7\\setup.exe"= UDP:C:\kav\kav7\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{8EB4254A-CB64-4C3A-9ACD-C9EE636758E6}C:\\kav\\kav7\\setup.exe"= TCP:C:\kav\kav7\setup.exe:Kaspersky Anti-Virus 7.0 Setup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 21:05]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080813.001\IDSvix86.sys [2008-07-16 18:53]
R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSrv.exe [2007-12-05 06:17]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R2 lxbk_device;lxbk_device;C:\Windows\system32\lxbkcoms.exe [2007-04-26 13:01]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 14:18]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 01:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\CDStart.Exe
\shell\Install\Command - J:\Stub.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edd5e88-b4a7-11dc-9ebc-806e6f6e6963}]
\shell\AutoRun\command - E:\autorun.exe
\shell\directx\command - E:\DirectX\dxsetup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-16 C:\Windows\Tasks\EasyShare Registration Task.job
- C:\Windows\system32\rundll32.exe [2006-11-02 05:45]

2008-08-18 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - William.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 08:00:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-18 8:01:45
ComboFix-quarantined-files.txt 2008-08-18 12:01:12
ComboFix2.txt 2008-08-16 17:18:29

Pre-Run: 240,535,334,912 bytes free
Post-Run: 240,547,516,416 bytes free

278 --- E O F --- 2008-08-14 07:09:11


Everything seems to be running fine. I have Norton AntiVirus now. Are there any other good programs I should have installed? What are the best to have?
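The "Reg Loading Points" section of the log above records the Windows Firewall switched off for all three profiles ("EnableFirewall"= 0) and Security Center monitoring and notifications disabled ("DisableMonitoring" and the "*DisableNotify" values set to 1). Whatever set them, these are settings worth reviewing after a cleanup. The script below is an added example, not code from BleepingComputer, ComboFix or the thread's helper: it parses a constructed sample in the same REGEDIT4-style format and flags those weak settings. The sample lines, the function names (`parse_reg_points`, `audit`) and the wording of the findings are assumptions for illustration.

```python
"""Flag weakened security settings in a ComboFix-style 'Reg Loading Points' dump.

Added example for this thread; it is not code from BleepingComputer, ComboFix
or the helper. The sample lines, function names and finding texts are
constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample that mirrors the REGEDIT4-style block ComboFix prints.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Two numeric value shapes appear in the dump: "Name"=dword:00000001 and "Name"= 0 (0x0).
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*'
    r'(?:dword:(?P<hexval>[0-9A-Fa-f]{8})|(?P<decval>\d+)\s*\(0x[0-9A-Fa-f]+\))'
)


def parse_reg_points(text: str) -> Dict[str, Dict[str, int]]:
    """Return {registry key: {value name: integer value}} for numeric values only.

    String values (the Run entries) are skipped; they need a different check.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            if value_match.group("hexval") is not None:
                value = int(value_match.group("hexval"), 16)
            else:
                value = int(value_match.group("decval"))
            keys[current][value_match.group("name")] = value
    return keys


def audit(keys: Dict[str, Dict[str, int]]) -> List[str]:
    """Report settings that weaken the host's own defences."""
    findings: List[str] = []
    for key, values in keys.items():
        lowered = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if lowered.endswith("\\security center"):
            # *DisableNotify=1 silences the Security Center warnings a user would otherwise see.
            for name, value in values.items():
                if name.endswith("DisableNotify") and value == 1:
                    findings.append(f"Security Center notification suppressed: {name}")
        elif "\\security center\\monitoring" in lowered:
            # DisableMonitoring=1 stops Security Center tracking that product's state.
            if values.get("DisableMonitoring") == 1:
                findings.append(f"Security Center monitoring disabled under {leaf}")
        elif "\\firewallpolicy\\" in lowered and lowered.endswith("profile"):
            # EnableFirewall=0 on a profile key means the firewall is off for that profile.
            if values.get("EnableFirewall") == 0:
                findings.append(f"Windows Firewall disabled for {leaf}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_reg_points(SAMPLE_LOG)):
        print(finding)
```

Run on the constructed sample it reports the three suppressed notifications, the two monitoring keys and the two profiles with the firewall off, and stays silent on StandardProfile where the value is 1. On a real ComboFix log, paste the "Reg Loading Points" block into SAMPLE_LOG or read it from a file; only numeric values are parsed, so the Run-key program paths are left for a separate review.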



